Optimizing Log Rotation and Management in Bro Network Security Tool

labrotory n.w
1 / 28
Embed
Share

Discover best practices for rotating and managing logs efficiently in Bro network security tool to prevent CPU spikes, power loss issues, and system reboots. Learn about atomic operations, file compression, and serialization techniques to enhance log handling and ensure data integrity.

  • Log Rotation
  • Network Security
  • Atomic Operations
  • File Compression
  • Data Management
rayaanacharya
szai Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Labrotory 2018

  2. Lazeektory 2018

  3. Atomic Rotation

  4. How does bro rotate/archive logs? mv conn.log conn-yaddayadda.log gzip < conn-yaddayadda.log > .../2018/10/10/conn.09:00:00-10:00:00.gz What happens if? Power loss Reboot OOM Something is trying to read .gz files as they are created

  5. Atomic operations Atomic mv (on same filesystem) Not Atomic cp mv (across filesystems) curl -o file.csv http://example.com/file.csv gzip < in > out

  6. Solution? mv (across filesystem) cp src dst.tmp && mv dst.tmp dst && rm src (mv will do cp src dst && rm src) Compress gzip < src > dst.tmp && mv dst.tmp dst && rm src

  7. How does bro rotate/archive logs? gzip < conn-yaddayadda.log > .../conn.09:00:00-10:00:00.gz & gzip < dns-yaddayadda.log > .../dns.09:00:00-10:00:00.gz & gzip < http-yaddayadda.log > .../http.09:00:00-10:00:00.gz & gzip < ssl-yaddayadda.log > .../ssl.09:00:00-10:00:00.gz &

  8. Serialize! Bro side mv conn-yaddayadda.log /bro/logs/log_queue/conn & mv http-yaddayadda.log /bro/logs/log_queue/http & External tool for each file in /bro/logs/log_queue Atomically rotate $file

  9. No more Spike in CPU Usage

  10. bro-atomic-rotate https://github.com/ncsa/bro-atomic-rotate

  11. Cluster::publish_hrw

  12. Before: worker2manager events module Mod; global my_event: event(source: addr); redef Cluster::worker2manager_events += /Mod::my_event/; event connection_established(c: connection) { local src = c$id$orig_h; event Mod::my_event(src); #magically sent to manager }

  13. Before: worker2manager events globals conns: table[addr] of count &default=0; @if ( Cluster::local_node_type() == Cluster::MANAGER ) event my_event(src) { if(++conns[src] > 100) NOTICE([...]) } @endif

  14. Before: worker2manager events Worker-1 Worker-2 Manager Worker-3 Worker-n

  15. Before: worker2manager events Worker-1 -> Manager event my_event(10.10.10.1); Worker-2 -> Manager event my_event(10.10.10.2); Worker-3 -> Manager event my_event(10.10.10.1); Worker-4 -> Manager event my_event(10.10.10.2); Worker-1 -> Manager event my_event(10.10.10.3); Worker-2 -> Manager event my_event(10.10.10.4);

  16. Before: worker2manager events Manager sees 6 events and stores: Manager sees 6 events and stores: 10.10.10.1 = 2 10.10.10.2 = 2 10.10.10.3 = 1 10.10.10.4 = 1

  17. After: Cluster::publish_hrw module Mod; global my_event: event(source: addr); event connection_established(c: connection) { local src = c$id$orig_h; Cluster::publish_hrw(Cluster::proxy_pool, src, #hash key Mod::my_event, src); }

  18. After: Cluster::publish_hrw globals conns: table[addr] of count &default=0; event my_event(src) { if(++conns[src] > 100) NOTICE([...]) }

  19. After: Cluster::publish_hrw Worker-1 Proxy-1 Worker-2 Proxy-2 Worker-3 Worker-n

  20. After: Cluster::publish_hrw Worker-1 -> Proxy-1 event my_event(10.10.10.1); Worker-2 -> Proxy-2 event my_event(10.10.10.2); Worker-3 -> Proxy-1 event my_event(10.10.10.1); Worker-4 -> Proxy-2 event my_event(10.10.10.2); Worker-1 -> Proxy-2 event my_event(10.10.10.3); Worker-2 -> Proxy-1 event my_event(10.10.10.4);

  21. After: Cluster::publish_hrw Proxy Proxy- -1 sees 3 events and stores: 1 sees 3 events and stores: 10.10.10.1 = 2 10.10.10.4 = 1 Proxy Proxy- -2 sees 3 events and stores: 2 sees 3 events and stores: 10.10.10.2 = 2 10.10.10.3 = 1

  22. bro-zeromq-writer

  23. Bro Side @load NCSA/ZeroMQWriter redef LogZeroMQ::endpoint = "tcp://127.0.0.1:9999";

  24. ZMQ Side context = zmq.Context() socket = context.socket(zmq.SUB) socket.bind( tcp://*:9999 ) socket.setsockopt_string(zmq.SUBSCRIBE, * ) while True: stream = socket.recv_string() entry = socket.recv_string() rec = json.loads(entry) print(stream, rec)

  25. bro-zeromq-writer

  26. libflowbypass

  27. libflowbypass

Related


Demi-Regularity in Realist Evaluation

Demi-Regularity in Realist Evaluation

harvey
Building Resilience: Stories of Strength and Perseverance

Building Resilience: Stories of Strength and Perseverance

siena
Optimal Care Considerations in General Practice Scenarios

Optimal Care Considerations in General Practice Scenarios

darcey
Sentence Structure: Phrases, Clauses, and Compound Sentences

Sentence Structure: Phrases, Clauses, and Compound Sentences

yant_le
Meet Zoe Toutzari and Her Wonderful Circle of Family and Friends

Meet Zoe Toutzari and Her Wonderful Circle of Family and Friends

xpedl
Insights from the Ante-Nicene Fathers and Saints of Christianity

Insights from the Ante-Nicene Fathers and Saints of Christianity

elas247
African Monsoon Recent Evolution and Outlook Update by Justin Hicks

African Monsoon Recent Evolution and Outlook Update by Justin Hicks

car_bil
DePauw University Medicare Benefits Program Overview

DePauw University Medicare Benefits Program Overview

quin_er
Update on Advisory Committee Meeting and Accreditation Staff Members

Update on Advisory Committee Meeting and Accreditation Staff Members

bra_sie
Math Fundamentals: Matrices and Vectors in EECS 442

Math Fundamentals: Matrices and Vectors in EECS 442

rart300
Exploring Vibrato in Stringed Instruments and Voices

Exploring Vibrato in Stringed Instruments and Voices

tah_gas
Course Wrap-Up: CSE333 Spring 2018 Overview

Course Wrap-Up: CSE333 Spring 2018 Overview

abald
Analysis of Political and Economic Factors in the U.S. Mortgage Default Crisis

Analysis of Political and Economic Factors in the U.S. Mortgage Default Crisis

jen_ili
Cybersecurity Work Updates: Week 10/30

Cybersecurity Work Updates: Week 10/30

mwhid
Innovative Robotics Project at Belfry High School

Innovative Robotics Project at Belfry High School

balbuena_c
Exploration of Religiosity and Contrarian Thinking in Cognitive Science

Exploration of Religiosity and Contrarian Thinking in Cognitive Science

baon131
Careers and Education in Law Enforcement Pathway

Careers and Education in Law Enforcement Pathway

dem_roz
The Afterlife: Insights from Douglas Jacoby

The Afterlife: Insights from Douglas Jacoby

rogil
CSS Animation

CSS Animation

chamness_j
Study Recommendations: District Size Adjustment

Study Recommendations: District Size Adjustment

montrel_g
Introduction to Systems Programming

Introduction to Systems Programming

pame_5
JITT AT WITT: A HYBRID APPROACH

JITT AT WITT: A HYBRID APPROACH

naiti

More Related Content